topic Re: How to disable http/https portal on vSec gateway? in Firewall and Security Management

How to disable http/https portal on vSec gateway?

Thomas_Pereira — Wed, 05 Jul 2017 14:14:49 GMT

We have two Security Gateways under the same management server. We need to disable outside access to the web portal on the vSec gateway.

This traffic is accepted by an implied rule. We did disable every single implied rule on the smart dashboard and try to edit the implied rules file in the path $FWDIR/lib.

But the ports 80 and 443 are still open.

How could disable the outside access to this service?

Re: How to disable http/https portal on vSec gateway?

Jay_Jeffcoat — Wed, 05 Jul 2017 18:38:37 GMT

When you say "disable outside access" There certainly shouldn't be an implied rule that allows outside access to your firewalls. You should have a rule in your policy that allows certain hosts to access your firewalls(ssh, webui, etc), but then have a stealth rule directly below that preventing all other source traffic from hitting your firewalls.

Re: How to disable http/https portal on vSec gateway?

Thomas_Pereira — Wed, 05 Jul 2017 18:49:34 GMT

Jay.

We have a stealth rule in place.

And in the log the traffic is being allowed by Implicit rule 0.

Re: How to disable http/https portal on vSec gateway?

Jay_Jeffcoat — Wed, 05 Jul 2017 21:57:40 GMT

Can you be more specific on what you're describing as "outside" access? Also, please post details about the actual implied rule that it's hitting on? Obviously something isn't making since, you stated you disabled every implied rule yet the traffic is still permitted

Re: How to disable http/https portal on vSec gateway?

Thomas_Pereira — Thu, 06 Jul 2017 10:12:40 GMT

"Outside" is the Internet. In Azure the vSec has two interfaces one internal and one external this last being the one that leads to the Internet. The goal is to limit the access to the internal interface.

Re: How to disable http/https portal on vSec gateway?

Peter_Sandkuijl — Thu, 06 Jul 2017 13:44:28 GMT

Hi,

Rule 0 can also indicate a setting that has a portal function and that is controlled by a property. As an example the identity awareness captive portal will listen. On what ports and interfaces depends on your configuration. I suspect what you see is similar to this and I advise you check those settings. By default they will have "internal interfaces" but that may be less relevant for vSEC, depending on how you deployed

Good luck

Peter !!

Re: How to disable http/https portal on vSec gateway?

PhoneBoy — Thu, 06 Jul 2017 16:09:39 GMT

Multiportal issue, I think.

Refer to the following SK: HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in SmartView Tracker

Re: How to disable http/https portal on vSec gateway?

Thomas_Pereira — Thu, 06 Jul 2017 20:44:10 GMT

Dameon,

Thanks for the help, in this SK I have found the correct file to edit and stopped the http redirect.

Also I was able to find what was enabling the https portal. It was the visitor mode for vpn clients, once disabled the https was closed.

Re: How to disable http/https portal on vSec gateway?

_Val_ — Fri, 07 Jul 2017 07:49:28 GMT

If you are looking to disable WebUI completely, use "set web daemon-enable off"
Do not forget "save config"